topic Re: Grouping within multivalued fields in Splunk Search https://community.splunk.com/t5/Splunk-Search/Grouping-within-multivalued-fields/m-p/551904#M156615 <P>I think I make this work! Thank you&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Mon, 17 May 2021 17:08:24 GMT chaday00 2021-05-17T17:08:24Z Grouping within multivalued fields https://community.splunk.com/t5/Splunk-Search/Grouping-within-multivalued-fields/m-p/551891#M156613 <P>I have built a query that exports data by a date range and based on a scan or source. Currently I'm grouping them into a multivalued field so that I can have 1 row per source and can easily see all the impacted data by date range (see below):</P><TABLE width="1004"><TBODY><TR><TD width="64">Source</TD><TD width="417">Within 30 Days</TD><TD width="247">30-60 Days</TD><TD width="92">60-90 Days</TD><TD width="184">90+ Days</TD></TR><TR><TD>scan1.csv</TD><TD width="417"><P>Low<BR />SSL/TLS Diffie-Hellman Modulus &lt;= 1024 Bits (Logjam)<BR />192.168.0.1</P></TD><TD width="247"><P>Medium<BR />SSL Certificate Cannot Be Trusted<BR />192.168.0.1</P></TD><TD>&nbsp;</TD><TD width="184"><P>Medium<BR />SMB Signing not required<BR />192.168.0.15</P></TD></TR><TR><TD width="417"><P>&nbsp;</P></TD><TD width="247"><P>Low<BR />SSL/TLS Diffie-Hellman Modulus &lt;= 1024 Bits (Logjam)<BR />192.168.0.15</P></TD><TD>Medium<BR />SSL Self-Signed Certificate<BR />192.168.0.1</TD></TR><TR><TD width="417"><P>&nbsp;</P></TD><TD>Medium<BR />SMB Signing not required<BR />192.168.0.1</TD><TD>&nbsp;</TD></TR><TR><TD width="417"><P>&nbsp;</P></TD><TD>Medium<BR />SSL Certificate Cannot Be Trusted<BR />192.168.0.15</TD><TD>&nbsp;</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>As you can see above with the Logjam finding, I'm repeating the 'Severity' and 'Plugin Name' respectively with a unique IP address. I'd like, however, to only see the new IP address in this instance (see below) but have been unable to find a way to group by 'severity' and 'plugin_name' within the multivalued group.&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="desired output" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14188i9247FD4ADEDE7955/image-size/large?v=v2&amp;px=999" role="button" title="desired_output.png" alt="desired output" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">desired output</span></span></P><P>Using the test data below, you can use this search string to reproduce the 1st table above:</P><P>&nbsp;</P><LI-CODE lang="markup">| inputlookup test.csv | eval epochTime=now()-firstSeen | eval dateRange=case(epochTime &lt;= (86400*30), "Within 30 Days" , epochTime &gt;= (86400*31) AND epochTime &lt;= (86400*60), "30-60 Days", epochTime &gt;= (86400*61) AND epochTime &lt;= (86400*90), "60-90 Days", epochTime &gt; (86400*91), "90+ Days") | dedup severity plugin_name ipv4 | sort severity plugin_name ipv4 | eval findings30days=case(dateRange=="Within 30 Days", mvappend(severity, plugin_name, ipv4)) | eval findings3060days=case(dateRange=="30-60 Days", mvappend(severity, plugin_name, ipv4)) | eval findings6090days=case(dateRange=="60-90 Days", mvappend(severity, plugin_name, ipv4)) | eval findingsOver90days=case(dateRange== "90+ Days", mvappend(severity, plugin_name, ipv4)) | rename source AS Scan, severity AS Severity, plugin_name AS "Plugin Name", dateRange AS Age, ipv4 AS IP | stats list(findings30days) AS "Within 30 Days" list(findings3060days) AS "30-60 Days" list(findings6090days) AS "60-90 Days" list(findingsOver90days) AS "90+ Days" by Scan</LI-CODE><P>&nbsp;</P><P>Below is some sample data that may be useful:</P><P>source&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; severity&nbsp;&nbsp; ipv4&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; plugin_name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; firstSeen</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate Cannot Be Trusted&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1617212174</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.15&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate Cannot Be Trusted&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1617212174</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Self-Signed Certificate&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate with Wrong Hostname&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.15&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Self-Signed Certificate&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1617212174</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.15&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate with Wrong Hostname&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1617212174</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TLS Version 1.0 Protocol Detection&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.15&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TLS Version 1.0 Protocol Detection&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan2.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TLS Version 1.0 Protocol Detection&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan2.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate with Wrong Hostname&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan2.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate Cannot Be Trusted&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan2.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; TLS Version 1.0 Protocol Detection&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1619459159</P><P>scan2.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate with Wrong Hostname&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1620053764</P><P>scan2.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.3&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Certificate Cannot Be Trusted&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1620053764</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL RC4 Cipher Suites Supported (Bar Mitzvah)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1620053764</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Medium&nbsp; 192.168.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL Medium Strength Cipher Suites Supported (SWEET32) 1620053764</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Low&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.15&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL/TLS Diffie-Hellman Modulus &lt;= 1024 Bits (Logjam)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1620053764</P><P>scan1.csv &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Low&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.0.1&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SSL/TLS Diffie-Hellman Modulus &lt;= 1024 Bits (Logjam)&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 1620053764</P><P>Current output in Splunk is below:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="current output" style="width: 999px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/14187i098728EAD663DE30/image-size/large?v=v2&amp;px=999" role="button" title="test.png" alt="current output" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">current output</span></span></P> Mon, 17 May 2021 16:12:53 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-within-multivalued-fields/m-p/551891#M156613 chaday00 2021-05-17T16:12:53Z Re: Grouping within multivalued fields https://community.splunk.com/t5/Splunk-Search/Grouping-within-multivalued-fields/m-p/551901#M156614 <P>The bit before the blank lines reproduces the data you supplied (thanks for that - very useful). The extra two lines I inserted gather the ip addresses with the same severity and plugin name, and later join the mv field with new lines so the final stats has each part listed in the mv fields separately.</P><LI-CODE lang="markup">| makeresults | eval _raw="source,severity,ipv4,plugin_name,firstSeen scan1.csv,Medium,192.168.0.1,SSL Certificate Cannot Be Trusted,1617212174 scan1.csv,Medium,192.168.0.15,SSL Certificate Cannot Be Trusted,1617212174 scan1.csv,Medium,192.168.0.1,SSL Self-Signed Certificate,1619459159 scan1.csv,Medium,192.168.0.1,SSL Certificate with Wrong Hostname,1619459159 scan1.csv,Medium,192.168.0.15,SSL Self-Signed Certificate,1617212174 scan1.csv,Medium,192.168.0.15,SSL Certificate with Wrong Hostname,1617212174 scan1.csv,Medium,192.168.0.1,TLS Version 1.0 Protocol Detection,1619459159 scan1.csv,Medium,192.168.0.15,TLS Version 1.0 Protocol Detection,1619459159 scan2.csv,Medium,192.168.0.2,TLS Version 1.0 Protocol Detection,1619459159 scan2.csv,Medium,192.168.0.2,SSL Certificate with Wrong Hostname,1619459159 scan2.csv,Medium,192.168.0.2,SSL Certificate Cannot Be Trusted,1619459159 scan2.csv,Medium,192.168.0.3,TLS Version 1.0 Protocol Detection,1619459159 scan2.csv,Medium,192.168.0.3,SSL Certificate with Wrong Hostname,1620053764 scan2.csv,Medium,192.168.0.3,SSL Certificate Cannot Be Trusted,1620053764 scan1.csv,Medium,192.168.0.1,SSL RC4 Cipher Suites Supported (Bar Mitzvah),1620053764 scan1.csv,Medium,192.168.0.1,SSL Medium Strength Cipher Suites Supported (SWEET32),1620053764 scan1.csv,Low,192.168.0.15,SSL/TLS Diffie-Hellman Modulus &lt;= 1024 Bits (Logjam),1620053764 scan1.csv,Low,192.168.0.1,SSL/TLS Diffie-Hellman Modulus &lt;= 1024 Bits (Logjam),1620053764" | multikv forceheader=1 | fields - _* linecount | eval epochTime=now()-firstSeen | eval dateRange=case(epochTime &lt;= (86400*30), "Within 30 Days" , epochTime &gt;= (86400*31) AND epochTime &lt;= (86400*60), "30-60 Days", epochTime &gt;= (86400*61) AND epochTime &lt;= (86400*90), "60-90 Days", epochTime &gt; (86400*91), "90+ Days") | dedup severity plugin_name ipv4 | stats list(*) as * by dateRange source plugin_name severity | eval findings30days=case(dateRange=="Within 30 Days", mvappend(severity, plugin_name, ipv4)) | eval findings3060days=case(dateRange=="30-60 Days", mvappend(severity, plugin_name, ipv4)) | eval findings6090days=case(dateRange=="60-90 Days", mvappend(severity, plugin_name, ipv4)) | eval findingsOver90days=case(dateRange== "90+ Days", mvappend(severity, plugin_name, ipv4)) | rename source AS Scan, severity AS Severity, plugin_name AS "Plugin Name", dateRange AS Age, ipv4 AS IP | foreach findings* [| eval &lt;&lt;FIELD&gt;&gt;=mvjoin(&lt;&lt;FIELD&gt;&gt;," ")] | stats list(findings30days) AS "Within 30 Days" list(findings3060days) AS "30-60 Days" list(findings6090days) AS "60-90 Days" list(findingsOver90days) AS "90+ Days" by Scan</LI-CODE> Mon, 17 May 2021 16:53:52 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-within-multivalued-fields/m-p/551901#M156614 ITWhisperer 2021-05-17T16:53:52Z Re: Grouping within multivalued fields https://community.splunk.com/t5/Splunk-Search/Grouping-within-multivalued-fields/m-p/551904#M156615 <P>I think I make this work! Thank you&nbsp;<span class="lia-unicode-emoji" title=":grinning_face:">😀</span></P> Mon, 17 May 2021 17:08:24 GMT https://community.splunk.com/t5/Splunk-Search/Grouping-within-multivalued-fields/m-p/551904#M156615 chaday00 2021-05-17T17:08:24Z